===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3999
       VMware vCenter Server updates address arbitrary file read and
           SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049)
                              25 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vCenter Server
                   VMware Cloud Foundation
Publisher:         VMware
Operating System:  VMware ESX Server
                   Virtualisation
Impact/Access:     Access Confidential Data -- Unknown/Unspecified
                   Reduced Security         -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22049 CVE-2021-21980

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2021-0027.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID:  VMSA-2021-0027
CVSSv3 Range: 6.5-7.5
Issue Date:   2021-11-23
Updated On:   2021-11-23 (Initial Advisory)
CVE(s):       CVE-2021-21980, CVE-2021-22049
Synopsis:     VMware vCenter Server updates address arbitrary file read and
              SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049)

1. Impacted Products

  o VMware vCenter Server (vCenter Server)
  o VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware vCenter Server were privately reported to
VMware. Updates are available to remediate these vulnerabilities in affected
VMware products.

3a. vCenter Server updates address arbitrary file read vulnerability in the
    vSphere Web Client (CVE-2021-21980)

Description

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file
read vulnerability. VMware has evaluated the severity of this issue to be in
the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue to gain access to sensitive information.

Resolution

To remediate CVE-2021-21980 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

None.

Notes

The vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x,
therefore this issue is not applicable to the vCenter Server 7.x release line.

Acknowledgements

VMware would like to thank ch0wn of Orz lab for reporting this issue to us.

Response Matrix:

Product           Version  Running  CVE Identifier  CVSSv3  Severity   Fixed       Workarounds  Additional
                           On                                           Version                  Documentation
----------------  -------  -------  --------------  ------  ---------  ----------  -----------  -------------
vCenter Server    7.0      Any      CVE-2021-21980  N/A     N/A        Unaffected  N/A          N/A
vCenter Server    6.7      Any      CVE-2021-21980  7.5     important  6.7 U3p     None         None
vCenter Server    6.5      Any      CVE-2021-21980  7.5     important  6.5 U3r     None         None

Impacted Product Suites that Deploy Response Matrix 3a Components:

Product           Version  Running  CVE Identifier  CVSSv3  Severity   Fixed       Workarounds  Additional
                           On                                           Version                  Documentation
----------------  -------  -------  --------------  ------  ---------  ----------  -----------  -------------
Cloud Foundation  4.x      Any      CVE-2021-21980  N/A     N/A        Unaffected  N/A          N/A
(vCenter Server)
Cloud Foundation  3.x      Any      CVE-2021-21980  7.5     important  Patch       None         None
(vCenter Server)                                                       Pending

3b. vCenter Server updates address SSRF vulnerability in the vSphere Web
    Client (CVE-2021-22049)

Description

The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request
Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. VMware has
evaluated the severity of this issue to be in the Moderate severity range
with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may
exploit this issue by accessing a URL request outside of vCenter Server or
accessing an internal service.

Resolution

To remediate CVE-2021-22049 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

None.

Additional Documentation

None.

Notes

The vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x,
therefore this issue is not applicable to the vCenter Server 7.x release line.

Acknowledgements

VMware would like to thank magiczero from SGLAB of Legendsec at Qi'anxin
Group for reporting this issue to us.

Response Matrix:

Product           Version  Running  CVE Identifier  CVSSv3  Severity   Fixed       Workarounds  Additional
                           On                                           Version                  Documentation
----------------  -------  -------  --------------  ------  ---------  ----------  -----------  -------------
vCenter Server    7.0      Any      CVE-2021-22049  N/A     N/A        Unaffected  N/A          N/A
vCenter Server    6.7      Any      CVE-2021-22049  6.5     moderate   6.7 U3p     None         None
vCenter Server    6.5      Any      CVE-2021-22049  6.5     moderate   6.5 U3r     None         None

Impacted Product Suites that Deploy Response Matrix 3b Components:

Product           Version  Running  CVE Identifier  CVSSv3  Severity   Fixed       Workarounds  Additional
                           On                                           Version                  Documentation
----------------  -------  -------  --------------  ------  ---------  ----------  -----------  -------------
Cloud Foundation  4.x      Any      CVE-2021-22049  N/A     N/A        Unaffected  N/A          N/A
(vCenter Server)
Cloud Foundation  3.x      Any      CVE-2021-22049  6.5     moderate   Patch       None         None
(vCenter Server)                                                       Pending

4. References

Fixed Version(s) and Release Notes:

vCenter Server 6.7 U3p Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VC67U3P&productId=742&rPId=78421
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3p-release-notes.html

vCenter Server 6.5 U3r Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3R&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3r-release-notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22049

FIRST CVSSv3 Calculator:
CVE-2021-21980: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-22049: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

5. Change Log

2021-11-23 VMSA-2021-0027 Initial security advisory.
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained
in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================